Aside from reservation privileges, resource administration privileges must be explicitly set for each resource type. The easiest way is to assign rights to roles. This can also be done on an individual resource basis, but it is much more work and more difficult to maintain in the long term.

Each Infrabooking user, be they users or admins, has a role. The most common roles are:

  • academic - Most users from Aalto fall into this category. Reservation rights to resources for performing academic work.
  • academic_ext - This is for academic users from other institutions, e.g. universities and schools of applied science.
  • commercial - Users from companies and researchers doing commercial work are assigned this role.

On top of these user roles, there are several admin roles. In general, an infrastructure would have two roles, 'infra admin' and 'device admin'. Device admins have administrative rights to resources that are available at that infrastructure, or a subset of those resources, and can accept user registrations etc. Infra admins have all the rights device admins have and some additional rights related to Infrabooking administration. For example, Innovation & Industry Infrastructure has two admin roles, 'i3 device administrator' and 'i3 infrastructure administrator'.

Role based admin privilege management

Assigning users and admins privileges to book or administer resources one device at a time will get laborious very soon. To ease that pain, Infrabooking has roles that can be assigned to users, and adjusting role-based access deploys the corresponding changes to all users who have that role. This is very handy when new branches are added to the resource tree. By default, no one has rights to book or administer new resource types. An example: When PHYS department admins finally add their time machines to Infrabooking, they can grant user roles 'academic' and 'commercial' the right to book the device, and admin roles 'PHYS device admin' and 'PHYS infrastructure admin' rights to administer those resources.

The full list of roles that have been defined is given further down this page.

First, open the Infrabooking management interface and navigate to Maintenance functions.

Select Administrative functions.

Click the "Role administration" tab near the top of the page.

You can click "Search" to show all roles that have been defined or search by role code or name.

Below is the beginning of the full list of roles and their corresponding base roles and privileges. Let's edit the role 'academic', which is the default for all Aalto users.

The first interesting thing in the settings is "Usage types". By default, Aalto's users can book device time only for academic work, which is listed as "Aalto Internal" in the list. Other usage types should be self-evident.

If we want to change generic users' access to Bioanalytics resources, we can open the drop-down menu and select something other than the default "Booking access". "Browsing access" allows seeing the resources in Infrabooking, but not making bookings. The "Unconfirmed bookings only" option allows reservations, but they stay unconfirmed until a device admin either confirms or cancels the reservation. "Admin access" and "No access" should be self-evident to anyone who makes it this far into this guide.

There is even more fine-grained control of rights. The list above shows only top-level resource types. Access can also be controlled by resource groups, which are subtypes of the top level. By clicking the "set buildings..." link and unchecking the "Same access to all buildings" box, we have the same options as above for each subtype. This is handy if, for example, Cell and Molecular Biology resources are all at CHEM, but Electrophoresis devices are at PHYS. You can grant CHEM and PHYS admin roles rights to their respective resources.

(Yes, the admin interface talks about buildings instead of resource types and groups. This is a holdover from the past generations of the background system.)

Finally, save the changes you have made, and close the window.
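
For reviewing the settings made above, here is an added example (not Infrabooking code; this page describes no export or API) that models role access in Python and flags resource groups with no admin role and user roles holding "Admin access". The numeric ordering of the access levels, the 'CHEM device admin' role name, the 'Prototype' group and all sample data are assumptions made for the example.

```python
from enum import IntEnum

class Access(IntEnum):
    """Access options named on this page; the numeric order is an assumption."""
    NO_ACCESS = 0
    BROWSING = 1
    UNCONFIRMED_ONLY = 2
    BOOKING = 3
    ADMIN = 4

USER_ROLES = {"academic", "academic_ext", "commercial"}  # user roles from this page

def effective(rules, rtype, group):
    """Resolve one role's access to a resource group, denying by default.
    rules maps a type to one Access ("Same access to all buildings" checked)
    or to a dict of group -> Access (box unchecked)."""
    rule = rules.get(rtype, Access.NO_ACCESS)
    if isinstance(rule, dict):
        return rule.get(group, Access.NO_ACCESS)
    return rule

def review(roles, inventory):
    """List (kind, type, group, role) findings for each resource group."""
    findings = []
    for rtype, group in inventory:
        admins = sorted(name for name, rules in roles.items()
                        if effective(rules, rtype, group) == Access.ADMIN)
        if not admins:
            findings.append(("no-admin", rtype, group, None))
        for name in admins:
            if name in USER_ROLES:
                findings.append(("user-role-admin", rtype, group, name))
    return findings

# Constructed sample data, not an export from Infrabooking.
ROLES = {
    "academic": {"Bioanalytics": Access.BOOKING},
    "commercial": {"Bioanalytics": {
        "Electrophoresis": Access.UNCONFIRMED_ONLY,
        "Cell and Molecular Biology": Access.ADMIN}},  # deliberate mistake
    "CHEM device admin": {"Bioanalytics": {"Cell and Molecular Biology": Access.ADMIN}},
    "PHYS device admin": {"Bioanalytics": {"Electrophoresis": Access.ADMIN}},
}
INVENTORY = [("Bioanalytics", "Cell and Molecular Biology"),
             ("Bioanalytics", "Electrophoresis"),
             ("Time machines", "Prototype")]  # new type, nothing granted yet

if __name__ == "__main__":
    print(*review(ROLES, INVENTORY), sep="\n")
```

The 'commercial' entry is set wrong on purpose so that the review has something to report; the ungranted "Time machines" type shows the default-deny behaviour for new resource types.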

Individual based admin privilege management

See: Setting permissions for device administrator (A CHEM example)
